Commit Graph

1837 Commits

Author SHA1 Message Date
Bob Gendler
f224f11c8d Merge pull request #658 from nancysangani/feat/issue-528-safari-allow-javascript
Add os_safari_allow_javascript_disable rule
2026-04-06 14:54:41 -04:00
Bob Gendler
db4f38fdc5 Merge pull request #653 from nancysangani/fix/deprecated-softwareupdate-payload
Replace deprecated com.apple.SoftwareUpdate payload with supported configuration
2026-04-06 14:41:43 -04:00
Nancy
731bee2b34 feat: add os_safari_allow_javascript_disable rule for SC-18 and SC-18(4) (closes #528) 2026-04-06 23:44:07 +05:30
Nancy
ac1bbb61bb fix: replace deprecated com.apple.SoftwareUpdate payload with supported alternative 2026-04-03 23:34:36 +05:30
Bob Gendler
a3cabe9526 Added required MDM key
2026-04-03 11:48:56 -04:00
Bob Gendler
3992e4580e Added supported ddm types
2026-03-28 22:13:13 -04:00
Bob Gendler
64d50d819f Added DDM info 2026-03-28 21:19:30 -04:00
Bob Gendler
ed6abbb8e7 Merge pull request #645 from trewwwsec/main
fix: Silicon update for SystemProfiler model name
2026-03-27 09:43:10 -04:00
trewwwsec
e5ee943013 fix: Silicon update for SystemProfiler model name 2026-03-26 17:06:58 -07:00
Bob Gendler
437d69e04d Merge pull request #642 from nancysangani/fix/pwpolicy-history-enforce-cis-lvl1-lvl2-odv
fix(pwpolicy_history_enforce): update CIS lvl1/lvl2 ODV from 15 to 24
2026-03-26 12:19:00 -04:00
Bob Gendler
fe1119b3f3 Merge pull request #643 from nancysangani/fix/system-settings-screensaver-timeout-cis-lvl1-lvl2-odv
fix(system_settings_screensaver_timeout_enforce): update CIS lvl1/lvl2 ODV from 1200 to 900
2026-03-26 12:17:43 -04:00
Bob Gendler
0336fe582c refactor[rules] Updates to check/fix/ddm
Updated check fix for os_root_disable - in checking and disabling this way, sudo will function how some are expecting

Updated rules for ddm info for 26.4
2026-03-26 12:15:51 -04:00
Allen Golbig
45ca50c487 modified check to not use mdmclient 2026-03-26 11:49:32 -04:00
Allen Golbig
c7e6bb6619 fixed check 2026-03-26 09:17:30 -04:00
Nancy
6891200b30 fix(system_settings_screensaver_timeout_enforce): update CIS lvl1/lvl2 ODV from 1200 to 900 2026-03-22 20:27:55 +05:30
Nancy
bdfc342f6e fix(pwpolicy_history_enforce): update CIS lvl1/lvl2 ODV to 24 for macOS 26 2026-03-22 19:17:03 +05:30
Bob Gendler
aaf6970248 Specify Dockerfile path in container publish workflow 2026-03-19 15:02:33 -04:00
Bob Gendler
d5020bd939 Create Dockerfile 2026-03-19 15:01:40 -04:00
Bob Gendler
405816b65d Add GitHub Actions workflow for container build and publish 2026-03-19 14:57:16 -04:00
Dan Brodjieski
2febaa38e2 fix: correct STIG references
2026-03-18 11:11:03 -04:00
Dan Brodjieski
00924f2138 Merge branch 'dev_tahoe_bio' into tahoe
2026-02-18 14:43:42 -05:00
Dan Brodjieski
15e1d339fb chore: remove legacy and unused rules
2026-02-18 14:42:47 -05:00
Dan Brodjieski
b3a830a655 chore: remove ddm tags 2026-02-18 14:41:57 -05:00
Dan Brodjieski
02a623ca8b chore: update references 2026-02-18 14:41:43 -05:00
Bob Gendler
df6d916464 Merge pull request #634 from root3nl/tahoe
New rules for Software Update Settings
2026-02-18 11:19:18 -05:00
Jordy Witteman
1069eab978 Merge branch 'tahoe' of https://github.com/root3nl/macos_security into tahoe 2026-02-13 10:34:16 +01:00
Jordy Witteman
a1587b80ad Add disability to remove BSI rule
Add `system_settings_background_security_improvement_removal_disable` to `nlmapgov_plus` and replace `os_rapid_security_response_removal_disable`
2026-02-13 10:34:12 +01:00
Jordy Witteman
2a41d94f91 Add new rule to disable BSI rollbacks using DDM
Add new rule `system_settings_background_security_improvement_removal_disable` to disable the ability for users to roll back Background Security Improvements. This is the modern replacement and DDM equivalent for `os_rapid_security_response_removal_disable`

Force enable BSI is done with the `system_settings_security_update_install` and tested using macOS 26.3. The `Enable` key in https://developer.apple.com/documentation/devicemanagement/softwareupdatesettingsrapidsecurityresponseobject does not cause BSI to be automatically installed. The recent BSI testplan confirms this.

Add enforcement of BSI in discussion of `system_settings_security_update_install`
2026-02-13 10:33:59 +01:00
Aron van den Herik
bb1af1d979 Include system_settings_macos_updates_install_enforce
Included new `system_settings_macos_updates_install_enforce` rule in nlmapgov_base and nlmapgov_plus. This replaces previous rule `system_settings_macos_updates_install_enforce`.
2026-02-13 09:31:45 +01:00
Bob Gendler
61a320ef61 Merge pull request #632 from root3nl/tahoe
NLMAPGOV baselines for macOS 26
2026-02-12 10:42:42 -05:00
Aron van den Herik
519eaccfea Add system_settings_macos_updates_install_enforce
Add new rule `system_settings_macos_updates_install_enforce` to enforce automatic macOS updates using DDM `InstallOSUpdates: AlwaysOn`. Current `system_settings_install_macos_updates_enforce` relies on now deprecated configuration in `com.apple.SoftwareUpdate`.
https://developer.apple.com/documentation/devicemanagement/softwareupdate
2026-02-06 16:17:15 +01:00
Jordy Witteman
35f595ad53 Remove os_config_data_install_enforce
Remove `os_config_data_install_enforce` as it became deprecated in macOS 26. Replaced by `system_settings_security_update_install`. https://support.apple.com/en-us/101591
2026-01-27 20:53:20 +01:00
Jordy Witteman
5e4452fe21 Add ODV for os_unlock_active_user_session_disable
Add ODV for os_unlock_active_user_session_disable
2026-01-27 20:52:09 +01:00
Aron van den Herik
453b51c3a2 Add system_settings_external_intelligence_sign_in_disable to nlmapgov_plus
Add `system_settings_external_intelligence_sign_in_disable` to `nlmapgov_plus` as part of DLP best practices in BIO 8.12.01 rule. Replaces previous addition of `system_settings_external_intelligence_disable`
2026-01-27 16:27:13 +01:00
Aron van den Herik
7e1ac0fbb1 Replaced system_settings_critical_update_install_enforce with system_settings_security_update_install
Removed system_settings_critical_update_install_enforce rule from both nlmapgov_base and nlmapgov_plus baselines and replaced with system_settings_security_update_install rule.
2026-01-27 15:22:28 +01:00
Aron van den Herik
6ebc9a602f Remove system_settings_software_update_download_enforce from baselines
Removed system_settings_software_update_download_enforce rule from both nlmapgov_base and nlmapgov_plus baselines. This rule was replaced with system_settings_download_software_update_enforce.
2026-01-27 15:15:42 +01:00
Jordy Witteman
53369ec9bc Update nlmapgov_plus baseline
Update nlmapgov_plus baseline with new rule `system_settings_external_intelligence_disable`
2026-01-27 14:44:08 +01:00
Jordy Witteman
74de7b89c9 Add system_settings_external_intelligence_disable to nlmapgov_plus
Add `system_settings_external_intelligence_disable` to `nlmapgov_plus` as part of DLP best practices in BIO 8.12.01 rule
2026-01-27 14:04:10 +01:00
Jordy Witteman
645a371d04 Add ODV to system_settings_softwareupdate_current
Add ODV to system_settings_softwareupdate_current. ODV is set to 7 days based on BIO rule 8.08.01
2026-01-27 11:55:37 +01:00
Jordy Witteman
a49250839e Include BIO 8.27.01 in additional rules
Include BIO 8.27.01 in additional rules as there is some overlap with 8.12.01. Some rules now have both referenced.
2026-01-27 11:54:50 +01:00
Aron van den Herik
39c162cb85 Merge pull request #6 from aronvandenherik/tahoe
Updated O-maatregel-nummers
2026-01-27 09:41:19 +01:00
Aron van den Herik
8d3efea7a6 Updated O-maatregel-nummers
Updated O-maatregel-nummers for multiple rules:
- 8.09 to 8.09.01
- 8.12 to 8.12.01
- 8.17 to 8.17.01

8.09, 8.12 and 8.17 are controls from **NEN-EN-ISO/IEC 27002** and are no longer included in BIO2 v1.2, but are referenced in _deel 1 Kader BIO2, verplichtingen BIO_
2026-01-20 13:12:10 +01:00
Jordy Witteman
69a77f31ce Baselines updated macOS 26
- Changed references to macOS 26 using newly generated baselines
- Software update rules replaced with new ones for macOS 26
2026-01-06 17:12:40 +01:00
Jordy Witteman
a48e589b7e Merge pull request #5 from root3nl/sequoia
Sequoia NLMAPGOV baselines to Tahoe
2026-01-06 16:48:25 +01:00
Jordy Witteman
17146f44c2 Merge branch 'tahoe' into sequoia 2026-01-06 16:45:21 +01:00
Bob Gendler
22471fd4a8 Merge pull request #609 from brodjieski/main
Update cspell dictionary
2026-01-05 13:26:48 -05:00
Dan Brodjieski
b6f4550296 chore: add project word to dictionary 2025-12-29 11:17:44 -05:00
Dan Brodjieski
e98d16aec6 Merge branch 'usnistgov:main' into main 2025-12-23 10:09:00 -05:00
Dan Brodjieski
b0fed4810b chore: update cspell dictionaries 2025-12-23 10:08:07 -05:00
Dan Brodjieski
4b1712c261 Merge pull request #608 from usnistgov/dev_tahoe_issue607
Dev tahoe issue607
2025-12-22 14:58:03 -05:00